summaryrefslogtreecommitdiff
path: root/usr.sbin/smtpd
diff options
context:
space:
mode:
authorReyk Floeter <reyk@cvs.openbsd.org>2014-04-29 21:04:18 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2014-04-29 21:04:18 +0000
commit85366ef6d9aa5230142e6c32174d2e87d57ade47 (patch)
treee056d1e072ea52265a0c6a8581e1c50f3e6f72b8 /usr.sbin/smtpd
parent6cee6c24d8e925542f5b06eb99f2384d319c4703 (diff)
For RSA private key privsep, only ever load the keys after forking the
separated process. This improves the previous because we don't trust the PEM and BIO routines to cleanup the keys correctly. ok gilles@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r--usr.sbin/smtpd/smtpd.c27
1 files changed, 24 insertions, 3 deletions
diff --git a/usr.sbin/smtpd/smtpd.c b/usr.sbin/smtpd/smtpd.c
index 8abf47dda7e..482f9440740 100644
--- a/usr.sbin/smtpd/smtpd.c
+++ b/usr.sbin/smtpd/smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.c,v 1.223 2014/04/29 19:13:13 reyk Exp $ */
+/* $OpenBSD: smtpd.c,v 1.224 2014/04/29 21:04:17 reyk Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -76,6 +76,7 @@ static void purge_task(void);
static void log_imsg(int, int, struct imsg *);
static int parent_auth_user(const char *, const char *);
static void load_pki_tree(void);
+static void load_pki_keys(void);
enum child_type {
CHILD_DAEMON,
@@ -579,6 +580,7 @@ main(int argc, char *argv[])
if (env->sc_opts & SMTPD_OPT_NOACTION) {
load_pki_tree();
+ load_pki_keys();
fprintf(stderr, "configuration OK\n");
exit(0);
}
@@ -691,8 +693,6 @@ load_pki_tree(void)
if (! ssl_load_certificate(pki, pki->pki_cert_file))
fatalx("load_pki_tree: failed to load certificate file");
- if (! ssl_load_keyfile(pki, pki->pki_key_file, k))
- fatalx("load_pki_tree: failed to load key file");
if (pki->pki_ca_file)
if (! ssl_load_cafile(pki, pki->pki_ca_file))
@@ -703,6 +703,23 @@ load_pki_tree(void)
}
}
+void
+load_pki_keys(void)
+{
+ struct pki *pki;
+ const char *k;
+ void *iter_dict;
+
+ log_debug("debug: init ssl-tree");
+ iter_dict = NULL;
+ while (dict_iter(env->sc_pki_dict, &iter_dict, &k, (void **)&pki)) {
+ log_debug("info: loading pki keys for %s", k);
+
+ if (! ssl_load_keyfile(pki, pki->pki_key_file, k))
+ fatalx("load_pki_keys: failed to load key file");
+ }
+}
+
static void
fork_peers(void)
{
@@ -728,6 +745,10 @@ post_fork(int proc)
close(control_socket);
control_socket = -1;
}
+
+ if (proc == PROC_LKA) {
+ load_pki_keys();
+ }
}
struct child *